check user device mac address without doing mac-auth

Alan DeKok aland at
Wed Mar 22 15:55:06 UTC 2023

On Mar 22, 2023, at 11:44 AM, Eby Mani via Freeradius-Users <freeradius-users at> wrote:
>> You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.
> Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?.

  If that's where you want to put MAC addresses, yes.

>> The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
> Is it not possible to grab Calling-Station-Id from Access-Request and check against db ?. 

  That's not what I said.

> Somewhere i read additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP / SLIP ?.


  Alan DeKok.

More information about the Freeradius-Users mailing list